New to Qlik Sense

hlines_usacs · ‎2018-05-04

Hello,

I want to hide a chart on a sheet when the user is a member of a specific Active Directory group.

Is this possible in version 3.2.4? If yes, what is the best way to implement?

If not, what version do I need?

Thanks!

hlines_usacs · ‎2018-05-14

We ended up doing a few things to solve this issue.

1. We upgraded to the most recent version.

2. I made a duplicate of the sheet that has the charts we want to show or hide based on the AD group. One sheet has 4 charts, and the other has 2. The second sheet has an extra space in the sheet name in order to differentiate.

3. We disabled the default STREAM security rule, but added a rule for each of the streams. These new security rules were copies of the default, but a filter added for the stream it was for.

4. We added a new security rule and used the conditions below. "Production" is the name of the stream, AD Group does not see "SheetA", and AD Group Limited does not see "Sheet A" (space between sheet and A).

Conditions for security rule:

(resource.resourcetype = "App" and resource.stream.HasPrivilege("read")) or ((resource.resourcetype = "App.Object" and resource.published ="true" and resource.objectType != "app_appscript" and resource.objectType != "loadmodel") and resource.app.stream.HasPrivilege("read")) and (resource.stream.name="Production" or resource.app.stream.name="Production") and

(resource.objectType != "sheet" or resource.name != "SheetA" or user.group="AD Group") and

(resource.objectType != "sheet" or resource.name != "Sheet A" or user.group="AD Group Limited")

View solution in original post

Digvijay_Singh · ‎2018-05-04

I don't think you can hide a chart based on Group but you can hide dimensions used by the chart using Section access OMIT feature. The side effect is all the chart using these OMIT dimensions for a group will not render.

If the group field is available somehow in data model, may be in chart calculation condition it can be used to stop chart calculation.

hlines_usacs · ‎2018-05-07

I would prefer not to use the OMIT feature.

Is it possible to hide a specific sheet?

jonathandienst · ‎2018-05-07

Not for an AD group. You can use a conditional with OSUser() to get the users's login name, but there is no way to get to the AD group short of using section access. Perhaps you could create an island flag field and select 1 or 0 using section access and then use the value of the flag to conditionally show/hide the sheet. i have not tested this personally.

Logic will get you from a to b. Imagination will take you everywhere. - A Einstein

hlines_usacs · ‎2018-05-07

Thanks. How would you use Section Access to hide a sheet from an AD group? We have our AD groups loaded and refreshed on a schedule.

pawwy1415 · ‎2018-05-07

Hi,

You can achieve this by security rules in QMC.

Please refer this BLOG, It has detail level of information how to achieve Sheet and App Object level security rules:

Sheet or App Object Level Security Qlik Sense

hlines_usacs · ‎2018-05-07

Thanks! Yes - I found that article. As I was reading through the beginning, it starts from scratch by installing Qlik Sense. Step number 4.1 says to disable the default STREAM security rule. I am not starting from a brand new install. I already have multiple streams and apps in production that users are using. If I disable this STREAM security rule, does it affect my other streams? If so, how does it affect them?

pawwy1415 · ‎2018-05-07

Hi,

Long back i have worked on this sheet level section access. That time we have disabled the default stream rule first then to Keep the Existing Stream Rule functionality, in addition, to adding sheet level section access Created one more Customized Stream rule like below.

This rule substitutes the default 'Stream' security rule with an exemption of Apps where SheetLevelSecurity is ON means created one custom property with SheetLevelSecurity and given the value as ON. Next applied this ON value to the apps where this default rule need to avoid.

For avoiding sheets given description as APP_RESTRICTED

Name: CUSTOM_STREAM_ACCESS

Resource Filter: App*

Action: Read

Condition:

(resource.resourcetype = "App” and resource.@SheetLevelSecurity != "ON"and resource.stream.HasPrivilege("read"))

or

((resource.resourcetype = "App.Object" and resource.published = "true" and resource.objectType != "app_appscript"

and resource.objectType != "loadmodel" and (resource.description != "APP_RESTRICTED"))

and resource.app.stream.HasPrivilege("read"))

Context: Both in hub and QMC

hlines_usacs · ‎2018-05-07

How did you define the SheetLevelSecurity custom property? I don't currently have any custom properties, so if I wanted to create one for SheetLevelSecurity, how would I do that?

pawwy1415 · ‎2018-05-07

Hi,

We have to create the custom property as per our use case.

Log into QMC and navigate to Custom Properties section
Click on ‘Create new’
Enter name i.e. ‘SheetLevelSecurity‘ with Apps as Resource Type and Corresponding values for example ON/OFF.
Click on Apply
Then assign this Custom property Sheet Level Security = ON to your section access app in the APPs tab so as per the custom stream rule it will exclude this particular app from the default functionality.

6. One more thing is on which sheet we have to apply the section access for that sheet add APP_RESTRICTED under Description like below.

So as per the below rule in the app which contains SheetLevelSecurity = "ON" and sheet description has APP_RESTRICTED those sheets will hide.